Missing security events 5139, all other events are there

Marc Vanderhaegen

Hello,
We have a workspace with all our DCs. I am trying to find a specific EventID (5139), which occurs when someone moves an AD object.
At first I tried the simplest query:
SecurityEvent | where EventID == "5139"
But it returned nothing.
I went to a specific DC, moved computers in AD, and I was able to clearly see the events in the Security log on the DC.
After a few minutes, I went back in Log Analytics
and used this query :
SecurityEvent | where Computer == "xxxxxxxxxxx" and EventID == "5139"
xxxxxxxxxxx is the DC.
Again, nothing has been found.
I reduced the time range to 2 minutes before and 2 minutes after the event occurred.
Again nothing.
I removed the EventID from the where clause to see all the events in the 4-minute time lapse, and every event was there except the 5139!!
I tried on another DC and had the exact same problem.
All the events can be found except the 5139.
I can find the events 4624, 4648, 4672, 5137 but no 5139.

What am I missing here?
How is it possible that a single EventID number cannot be found in Log Analytics?

Can someone help me please?
Thanks
Marc

5 Replies

Hi,

What events are collected by Azure Security Center depends on what data collection level you have set. This is described here:

https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Probably your ASC workspace is not configured to collect all security events.

Hello, 

Thanks for your answer.

I took a look at your link, and if I try to go to the Security Center, everything is greyed out and I get the message "Start your free trial".

FYI, the workspace I am in was created months ago when it was still OMS but we never really used the log analytics part.

So I need to ask my admin to buy a supplemental plan to have access to the Azure Security Center?

Sorry if my question sounds silly.

Marc

Solution

No problem. Basically you are using ASC already, as that functionality is under ASC now. From the Security Center dashboard, if you open the Security policy blade you will see your subscriptions and your workspaces. Clicking on edit settings for the workspace should take you to the configuration of the workspace for ASC settings. There you can set the workspace data collection settings without having to explicitly enable the ASC Standard tier as well. There are two options there: pricing tier - when set to Standard, basically deploys the Security and Audit solution (as it was in OMS). Data collection will allow you to set the settings on event collection. Hope this helps.
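An added example (not part of the original thread) to confirm, after changing the workspace data collection setting, which of the security events discussed above are actually arriving per domain controller. It queries the standard SecurityEvent table; the 24-hour window and the list of EventIDs are assumptions taken from this thread.

```kusto
// Added example, not from the original thread.
// Part 1: per-DC count and last-seen time for the events mentioned above.
// A DC that returns rows for 4624/4648/4672/5137 but none for 5139 is still
// subject to a data collection level that filters the event out; the DC's own
// Security log is not the problem, the workspace collection setting is.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4624, 4648, 4672, 5137, 5139)
| summarize EventCount = count(), LastSeen = max(TimeGenerated) by Computer, EventID
| order by Computer asc, EventID asc
```

Once 5139 shows up for every DC in this list, the collection change has taken effect; DCs that still only report the other IDs need their workspace setting rechecked.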

Thanks, I will try that

Marc

Thanks again for your help, it is working perfectly now.

Marc
